I believe that friends who often play Trojans will know the characteristics of some Trojans and have their favorite Trojans. However, many friends still do not know what the "DLL Trojan" has emerged in recent years. What is "DLL Trojan? What is the difference between it and a general Trojan?
I. Starting with DLL technology
To understand the DLL Trojan, you must know what the "DLL" means. So, let's trace back to the days when the DOS system became popular. At that time, writing a program was a tedious task, because the code of each program was independent. Sometimes a lot of code was required to implement a function. Later, with the development of programming technology, programmers put a lot of common code sets (General Code) into an independent file and call this file "Library". When writing a program, by adding this library file to the compiler, you can use all the functions contained in this library without having to write a lot of code on your own. This technology is called Static Link ). The static link technology relieved tired programmers, and everything seemed wonderful. But it turns out that beautiful things won't exist for too long, because static links are like a rude salesman. Whether you want a leaflet or not, they are all put into your hands. To write a program, you only need to use a certain graphic effect contained in a library file. Because of this, you have to add all the graphic effects carried by the library file to the program and keep them as vase decoration, this is not important, but these vase blocks the road-static link technology makes the final program into a large header, because the compiler counts the entire library file.
With the development of the times, static link technology, due to inherent drawbacks, cannot meet the needs of programmers. People began to look for a better way to solve the problem of code duplication. Later, the Windows system emerged, and the watershed of the Times finally emerged. Windows systems use a new connection technology, known as Dynamic Link, which also uses library files, microsoft calls them "Dynamic Link Library"-Dynamic Link Library, and the DLL name is like this. The dynamic link itself is no different from the static link itself. It also writes the common code into some independent files. However, in terms of compilation, Microsoft has moved around the circle, instead of adding a library file to a program, the library file is made into a compiled program file and an interface for data exchange is provided. When a programmer writes a program, once a function of a library file is used, the system transfers the library file to the memory, connects to the task process occupied by the program, and then executes the function used by the program, and return the result to the program. In our opinion, it is like the function provided by the program itself. After the required functions are completed, the DLL stops running and the entire call process ends. Microsoft enables these library files to be called by multiple programs and achieves perfect sharing. No matter what programs the programmer wants to write, you only need to add the call declaration to the relevant DLL in the code to use all of its functions. The most important thing is that the DLL will never let you get another vase. You will give it to you if you want anything, and it will not give you anything you don't want. In this way, the written program can no longer carry a lot of garbage-it will never let you take the leftovers home, or it will be fine. This is a buffet. (Figure 1-static link and dynamic link)
The birth of DLL technology makes programming a simple task. Windows provides thousands of function interfaces to meet the needs of most programmers. Moreover, the Windows system itself is composed of thousands of DLL files, which support each other and form a powerful Windows system. What is the size of static link in Windows? I dare not think about it.
2. Application Interface API
Above we made a rough analysis on the DLL technology, in which I mentioned "interface", what is this? Because the DLL cannot be inserted into the program as the static library file, how to let the program know the code and file for implementing the function becomes a problem, Microsoft has made a Standard Specification for the DLL technology, let a DLL file open a lot of holes like a cheese, and each hole indicates the name of the function stored in it. As long as the program finds the relevant holes according to the standard specifications, it can get the delicious taste, this hole is the "Application Programming Interface". The interfaces in each DLL are different, minimizing code duplication.
Using Steven's sentence: the API is a toolbox. You can take out the screwdrivers and wrenches as needed and put them back to the original place.
In Windows, the three most basic DLL files are kernel32.dll, user32.dll, and gdi32.dll. They constitute a basic system framework.
Iii. DLL and Trojan
DLL is the compiled code, which is no big difference from the general program, but it cannot run independently and needs to be called by the program. So what is the relationship between DLL and Trojan? If you have learned programming and written DLL, you will find that the DLL code is almost the same as that of other programs, except that the interface and startup mode are different. You just need to change the code entry, the DLL becomes an independent program. Of course, there is no program logic in the DLL file. This does not mean DLL = EXE. However, you can still regard the DLL as the EXE without the main entry, each function in the DLL can be regarded as several function modules of a program. A dll Trojan is a code that implements the trojan function, and some special code is written as a DLL file to export related APIs. In others' opinion, this is just a common DLL, however, this DLL carries the complete Trojan function, which is the concept of the DLL Trojan. Some people may ask, since the same code can implement the trojan function, you can simply do the program. Why do you need to write the same code as a DLL? This is to hide, because the DLL Runtime is directly linked to the process that calls its program and does not generate other processes. Therefore, compared with the traditional EXE Trojan, it is hard to be found.
Iv. DLL running
Although the DLL cannot be run by itself, Windows requires an entry function when loading the DLL, just like the main of the EXE. Otherwise, the system cannot reference the DLL. Therefore, according to the writing specifications, Windows must find and execute a function in the DLL DllMain as the basis for loading the DLL. This function is not exported as an API, but an internal function. The DllMain function keeps the DLL in the memory. Some DLL does not have the DllMain function, but it can still be used because Windows cannot find DllMain, find a default DllMain function that does not perform any operation from other runtime libraries to start the DLL so that it can be loaded. It does not mean that the DLL can discard the DllMain function.
V. DLL Trojan Technology Analysis
Here, you may think that, since the DLL Trojan has so many advantages, will it be better to write the trojan in the future using the DLL method? Although this is true, the DLL Trojan is not as easy to write as some people think. To write a usable DLL Trojan, you need to learn more.
1. Trojan subject
Never write the trojan module like an API library. This is not a development of WINAPI. The DLL Trojan can export several auxiliary functions, but there must be a process responsible for mainly executing the code. Otherwise, the DLL can only be a bunch of fragmented API functions, not to mention the work.
If some common code is involved, you can write some internal functions in the DLL for your own code, instead of opening all the Code as an interface, so that it is difficult to call itself, it is even less likely to play a role.
The Standard execution portal of the DLL Trojan is DllMain. Therefore, you must write the code for running the DLL Trojan in DllMain or point to the execution module of the DLL Trojan.
2. Dynamic embedding technology
In Windows, each process has its own private memory space. Other processes are not allowed to operate on this private territory. However, in fact, we can still use various methods to access and operate the private memory of the process. This is dynamic embedding, which is a technology that embeds its own code into the running process. There are many types of dynamic embedding, the most common of which are hooks, APIs, and remote thread technologies. Most DLL Trojans currently use remote Thread Technology to hook themselves into a normal system process. In fact, dynamic embedding is not uncommon. The Logitech MouseWare driver hangs on every system process -_-
The remote thread technology is to create a remote thread (RemoteThread) in another process to enter the memory address space of that process. In the scope of DLL Trojans, this technology is also called "injection". When the carrier creates a remote thread in the injected process and commands it to load the DLL, the trojan is mounted and executed. No new process is generated. To stop the trojan, you only need to stop the process that is mounted to the trojan DLL. However, for a long time, we can only pull the Wizard together with assumer.exe. Are you sure you want to disable Windows? (Figure 2--DLL hook)
3. Trojan startup
Some people may be impatient to say that it is okay to directly add this DLL to the system startup project. The answer is NO. As mentioned earlier, DLL cannot run independently, so it cannot be started directly in the startup project. To run a Trojan, an EXE needs to use dynamic embedding technology to connect the DLL to another normal process, so that the embedded process can call the DllMain function of the DLL to stimulate the Trojan to run, finally, start the trojan EXE and start the Trojan.
The EXE that starts the DLL Trojan is an important role. It is called Loader. Without Loader, the DLL Trojan is broken. Therefore, A mature DLL Trojan will find a way to protect its Loader from being so easily destroyed. Do you remember the story of being a zombie? DLL Trojans are the embarrassment of crawling on the wolf Loader.
Handler [DLL name], [function] [parameter]) reference the startup function of this DLL like calling an API to stimulate the trojan module to start execution, even if you kill rundll32, the trojan ontology is still in use. The most common example is the 3721 Chinese real name, although it is not a Trojan. (Figure 3 -- startup Item)
The AppInit_DLLs key of the Registry is also used by some Trojans to start itself, such as a cover letter virus. Using the Registry to start a trojan is to enable the system to execute DllMain. Because it is transferred by kernel, there is a lot of requirement on the stability of this DLL. A slight error will cause the system to crash, so this trojan is rarely seen.
Some of the more specific dlltrojans can be started through svchost.exe. Such DLL Trojans must be written as NT-Service, and the entry function is ServiceMain, which is rarely seen. However, such Trojans are well concealed and Loader is guaranteed.
4. Others
Now, you should have an understanding of the DLL Trojan. Do you really want to write one? Don't worry, I don't know if you have thought about it. Since DLL Trojans are so good, why are there so few DLL Trojans available now? The most important reason is that the DLL Trojan is running by a system process. If it is not well written, for example, if you do not prevent code errors from running or strictly regulate user input, the DLL will crash. Don't be nervous. The general EXE is also finished like this, but the DLL crash will cause the program hanging on it to suffer. Don't forget that it is connected to the system process. The final result is ...... Terrible. Therefore, when writing a DLL Trojan that can be published, it will do more work in troubleshooting than the general EXE Trojan. If you write more, you will be annoyed ......
6. DLL Trojan discovery and Removal
I often check whether there are many inexplicable items in the startup items. This is where Loader is located. If a wolf is killed, it cannot be mad again. It is difficult to find the DLL Trojan Ontology. You need to have some programming knowledge and analysis capabilities, search for the DLL name in the Loader, or check the process for any unfamiliar DLL.